[stunnel-users] stunnel sends empty list of trusted CAs

Michal Trojnara Michal.Trojnara at mirt.net
Wed Mar 31 21:07:59 CEST 2010


Sebastian Bork wrote:
> The normal setup is "verify = 3" and the complete certificate chain for
> each partner is put into the CA path. In most cases, this works without
> problems. However, in the handshake, after the server certificate is sent
> and stunnel asks the client to send a client certificate, stunnel sends an
> empty list of trusted CAs.

You should have implemented it the other way around:
The "cert" option should contain the complete certificate chain of stunnel, and 
"CApath"/"CAfile" should only contain the trusted CA certificate for "verify = 
2", and the trusted peer certificate for "verify = 3".

Basically the "cert" option selects certificates to send, and the "CApath"/"CAfile" 
options select certificates to authenticate the other machine.

Mike
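The two layouts Mike contrasts, written out as an stunnel.conf fragment. This is an added illustration, not configuration from the thread; the service names, ports and file paths are invented, and "verify = 3" is kept because that is what the original poster uses.

```ini
; Added example: the layout from the question beside the layout Mike recommends.
; Service names, ports and paths below are placeholders.
; stunnel only recognises comments that start a line, so none are placed after values.

; --- Layout as reported: every partner's full chain sits in the CA store ---
[as-reported]
accept  = 4433
connect = 127.0.0.1:8080
verify  = 3
; only the leaf certificate is sent, so the peer never sees the intermediates
cert    = /etc/stunnel/server-leaf.pem
key     = /etc/stunnel/server.key
; leaf + intermediates + root of each partner, all used for authenticating the peer
CApath  = /etc/stunnel/partner-chains/

; --- Layout Mike recommends ---
[corrected]
accept  = 4434
connect = 127.0.0.1:8080
verify  = 3
; our own chain (leaf followed by its intermediates): this is what stunnel sends
cert    = /etc/stunnel/server-chain.pem
key     = /etc/stunnel/server.key
; with verify = 3: the trusted peer certificate(s); with verify = 2 this would
; instead hold only the issuing CA certificate
CAfile  = /etc/stunnel/trusted-peers.pem
```

A quick way to confirm the change took effect is to connect with `openssl s_client -connect host:port` and read the "Acceptable client certificate CA names" section of its output: it lists exactly the names the server advertised in its certificate request, and prints "No client certificate CA names sent" when the list is empty, which is the symptom described in the question.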